CORPORATE HEADQUARTERS
5090 N. 40th Street
Phoenix, AZ 85018
Phone: 1 818-575-4000
COPYRIGHT NOTICE
Copyright © 2018 BeyondTrust Software, Inc. All rights reserved.
The information contained in this document is subject to change without notice.
No part of this document may be photocopied, reproduced or copied or translated in any manner to another
language without the prior written consent of BeyondTrust Software.
BeyondTrust Software is not liable for errors contained herein or for any direct, indirect, special, incidental or
consequential damages, including lost profit or lost data, whether based on warranty, contract, tort, or any other
legal theory in connection with the furnishing, performance, or use of this material.
All brand names and product names used in this document are trademarks, registered trademarks, or trade names
of their respective holders. BeyondTrust Software is not associated with any other vendors or products mentioned
in this document.
Contents
Introduction
Overview
Configuring SELinux
Installing SELinux on Unsupported Platforms
Configuring SELinux After Installing
Introduction
This guide provides information on setting up PBIS Open Edition.
If you experience issues when deploying PBIS Open, visit the following website:
https://github.com/BeyondTrust/pbis-open/issues
Overview
PowerBroker Identity Services Open Edition is an agent-based tool that allows you to connect Linux, Unix, and Mac
OS X computers to Microsoft Active Directory for consistent security policy across your entire environment.
To get started with PBIS Open:
• Install the PBIS agent
• Join a domain
• Log on using Active Directory credentials
Depending on your environment, you might also need to set common options and give your domain account admin
rights.
If you already have a previous version of PBIS Open or Likewise Open installed, upgrade to the latest version.
Linux
To deploy the agent to a Linux computer:
1. As root, run the installer, substituting the file name of the installer (version and build numbers are placeholders):
sh ./pbis-open-<version number>.<build number>-linux-i386-rpm.sh
Mac OS X
Note: To access a Mac using ssh, turn on remote login. For more information, go to the Apple website.
To deploy the agent to a Mac computer:
1. Log on to the Mac computer using a local account with administrator privileges.
2. On the desktop, double-click the PBIS .dmg file, and then double-click the PBIS .mpkg file.
3. Go through the wizard.
To join a computer to a domain, you must use the root account and have credentials for an Active Directory
account that has privileges to join computers to a domain.
1. In the Domain box, enter the fully qualified domain name (FQDN) of the Active Directory domain.
Example: CORP.EXAMPLE.COM
The following screen capture shows the Linux GUI. The Mac GUI is similar.
2. To avoid typing the domain prefix before the user or group name each time you log on, select Enable default
user name prefix and enter the domain prefix in the box. Example: CORP
3. (Optional). Under Organizational Unit, select Specific OU Path to join the computer to an organizational unit
(OU) and then type the path in the box.
The OU path is from the top of the Active Directory domain down to the OU.
4. Click Join Domain.
5. Enter the user name and password of an Active Directory account that has privileges to join computers to the
domain and then click OK.
After you join a domain for the first time, you must restart the computer before you can log on.
• Down-level logon
Visit the following website for more information:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa380525(v=vs.85).aspx
To log on:
1. Log out of the current session.
2. Log on the system console using your Active Directory user account.
If you did not set a default domain, log on the system console by using an Active Directory user account in the
form of DOMAIN\username or username@domain.com where DOMAIN is the Active Directory domain
name.
Example:
example\kathy
kathy@example.com
Important: When you log on from the command line, for example with ssh, you must use a backslash to escape the
backslash character, making the logon form DOMAIN\\username.
Use the --detail argument to view the setting's current value and to determine the values that it accepts.
Set the value to true.
Use the --show argument to confirm that the value was set to true.
Here is another example. To set the shell for a domain account, run config as root with the
LoginShellTemplate setting followed by the path and shell:
Environment Variables
Before installing the PBIS agent, make sure that the following environment variables are not set:
LD_LIBRARY_PATH, LIBPATH, SHLIB_PATH, LD_PRELOAD
Setting any of these environment variables violates best practices for managing Unix and Linux computers because
it causes PBIS to use non-PBIS libraries for its services. For more information on best practices, see
http://linuxmafia.com/faq/Admin/ld-lib-path.html.
If you must set LD_LIBRARY_PATH, LIBPATH, or SHLIB_PATH for another program, put the PBIS library path
(/opt/pbis/lib or /opt/pbis/lib64) before any other path—but keep in mind that doing so may result in
side effects for other programs, as they will now use PBIS libraries for their services.
If joining the domain fails with an error message that one of these environment variables is set, stop all the PBIS
services, clear the environment variable, make sure it is not automatically set when the computer restarts, and
then try to join the domain again.
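The following pre-install check is added here and is not part of the BeyondTrust guide. It reports any of the four loader variables the guide says must be unset before the agent is installed and, for a path variable that is set anyway, whether /opt/pbis/lib or /opt/pbis/lib64 is its first entry as the guide requires; the function names are my own.

```shell
#!/bin/sh
# Added pre-install check, not part of the PBIS guide: reports any of the four
# loader variables the guide says must be unset before the agent is installed,
# and, for a path variable that is set anyway, whether /opt/pbis/lib or
# /opt/pbis/lib64 is its first entry as the guide requires.

PBIS_LIB_DIRS="/opt/pbis/lib /opt/pbis/lib64"

# pbis_lib_first PATHVALUE: succeed when the first ':'-separated entry of
# PATHVALUE is one of the PBIS library directories.
pbis_lib_first() {
    first=${1%%:*}
    for d in $PBIS_LIB_DIRS; do
        [ "$first" = "$d" ] && return 0
    done
    return 1
}

# pbis_env_check: succeed when LD_LIBRARY_PATH, LIBPATH, SHLIB_PATH and
# LD_PRELOAD are all unset or empty. Otherwise print one line per variable
# that is set, saying what the guide asks you to do about it, and fail.
pbis_env_check() {
    rc=0
    for var in LD_LIBRARY_PATH LIBPATH SHLIB_PATH LD_PRELOAD; do
        eval "val=\${$var-}"          # read the variable whose name is in $var
        [ -n "$val" ] || continue
        rc=1
        if [ "$var" = LD_PRELOAD ]; then
            echo "$var=$val: unset it (the guide allows no exception for LD_PRELOAD)"
        elif pbis_lib_first "$val"; then
            echo "$var=$val: PBIS path is first, allowed, but other programs will now load PBIS libraries"
        else
            echo "$var=$val: unset it, or put /opt/pbis/lib or /opt/pbis/lib64 first"
        fi
    done
    return $rc
}

# Run as root before starting the installer (or before retrying a failed join).
pbis_env_check || echo "clear the variables above, and any profile or rc file that sets them, first"
```

Run it from the same root shell you will start the installer from, since the variables are checked in the calling shell's environment.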
Patch Requirements
It is recommended that the latest patches for an operating system be applied before installing PBIS.
Sun Solaris
All Solaris versions require the md5sum utility, which can be found on the companion CD.
Visit the Oracle Technology Network Patching Center to ensure the latest patches are deployed to Solaris targets.
HP-UX
Visit the HP Software Depot to download patches.
Secure Shell: For all HP-UX platforms, it is recommended that a recent version of HP's Secure Shell be installed.
Sudo: By default, the versions of sudo available from the HP-UX Porting Center do not include the Pluggable
Authentication Module, or PAM, which PBIS requires to allow domain users to execute sudo commands with
super-user credentials. It is recommended that you download sudo from the HP-UX Porting Center and make sure
that you use the with-pam configuration option when you build it.
HP-UX 11iv1 requires the following patches: PHCO_36229, PHSS_35381, PHKL_34805, PHCO_31923, PHCO_31903,
and PHKL_29243.
The patches listed here represent the minimum patch level for proper operation. The patches might be
superseded by later patches.
Kerberos client libraries: For single sign-on with HP-UX 11.11 and 11.23, install the latest KRB5-Client libraries from
the HP Software Depot. By default, HP-UX 11.31 includes the libraries.
Locale
Configure the locale with UTF-8 encoding for every target computer.
Secure Shell
To properly process logon events with PBIS, the SSH server or client must support the UsePAM yes option.
For single sign-on, both the SSH server and the SSH client must support GSSAPI authentication.
Other Software
Telnet, rsh, rcp, rlogin, and other programs that use PAM for processing authentication requests are compatible
with PBIS.
Networking Requirements
Each Unix, Linux, or Mac computer must have fully routed network connectivity to all the domain controllers that
service the computer's Active Directory site. Each computer must be able to resolve A, PTR, and SRV records for
the Active Directory domain, including at least the following:
• A domain.tld
• SRV _kerberos._tcp.domain.tld
• SRV _ldap._tcp.domain.tld
• SRV _kerberos._udp.sitename.Sites._msdcs.domain.tld
• A domaincontroller.domain.tld
AIX
On AIX computers, PAM must be enabled. LAM is supported only on AIX 5.x. PAM must be used exclusively on AIX
6.x.
./pbis-enterprise-x.x.x.xxxx.solaris.i386.pkg.sh -- --help
./pbis-enterprise-x.x.x.xxxx.solaris.i386.pkg.sh -- --all-zones
./pbis-enterprise-x.x.x.xxxx.solaris.i386.pkg.sh -- --current-zone
Post Install
After a new child zone is installed, booted, and configured, you must run the following command as root to
complete the installation:
/opt/pbis/bin/postinstall.sh
You cannot join zones to Active Directory as a group. Each zone, including the global zone, must be joined to the
domain independently of the other zones.
Caveats
There are some caveats when using PBIS with Solaris zones:
• When you join a non-global zone to AD, an error occurs when PBIS tries to synchronize the Solaris clock with
AD.
The error occurs because the root user of the non-global zone does not have root access to the underlying
global system and thus cannot set the system clock. If the clocks are within the 5-minute clock skew permitted
by Kerberos, the error will not be an issue.
Otherwise, you can resolve the issue by manually setting the clock in the global zone to match AD or by joining
the global zone to AD before joining the non-global zone.
• Some Group Policy settings may log PAM errors in the non-global zones even though they function as
expected. The cron Group Policy setting is one example:
Depending on the Group Policy setting, these errors may result from file access permissions, attempts to write
to read-only directories, or both.
• By default, Solaris displays auth.notice syslog messages on the system console. Some versions of PBIS
generate significant authentication traffic on this facility-priority level, which may lead to an undesirable
amount of chatter on the console or clutter on the screen.
To redirect the traffic to a file instead of displaying it on the console, edit your /etc/syslog.conf file as
follows:
Change this:
*.err;kern.notice;auth.notice /dev/sysmsg
To this:
*.err;kern.notice /dev/sysmsg
auth.notice /var/adm/authlog
Important: Make sure that you use tabs, not spaces, to separate the facility.priority information (on the left) from
the action field (on the right). Using spaces will cue syslog to ignore the entire line.
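The following is an added example, not from the BeyondTrust guide: a lint for the tab-separator rule the guide warns about in Solaris syslog.conf, plus the auth.notice split it recommends, applied to a constructed sample file. The function names and the sample file contents are my own.

```shell
#!/bin/sh
# Added example, not from the PBIS guide: a lint for the tab-separator rule the
# guide warns about in Solaris syslog.conf, plus the auth.notice redirect it
# recommends, applied to a constructed sample file.

# syslog_conf_lint FILE: report rule lines where the selector and the action
# are separated by spaces only (syslogd ignores such lines, so the
# authentication messages would be lost). Succeeds only if every rule uses a tab.
syslog_conf_lint() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            sub(/^[ \t]+/, "")                   # drop leading whitespace
            if (NF < 2) { bad++; printf("line %d: no action field: %s\n", NR, $0); next }
            sep = substr($0, length($1) + 1)     # text following the selector
            if (sep !~ /^[ \t]*\t/) { bad++; printf("line %d: spaces instead of tab: %s\n", NR, $0) }
        }
        END { exit bad ? 1 : 0 }' "$1"
}

# syslog_conf_split_auth FILE: print FILE with auth.notice removed from any rule
# that sends it to /dev/sysmsg, and a tab-separated rule logging it to
# /var/adm/authlog inserted directly after, as the guide describes.
syslog_conf_split_auth() {
    awk '
        $NF == "/dev/sysmsg" && $1 ~ /(^|;)auth\.notice(;|$)/ {
            sel = $1
            if (!gsub(/;auth\.notice/, "", sel)) gsub(/auth\.notice;?/, "", sel)
            if (sel != "") printf("%s\t%s\n", sel, $NF)
            printf("auth.notice\t/var/adm/authlog\n")
            next
        }
        { print }' "$1"
}

# Constructed sample: the console rule from the guide plus a deliberately bad
# line that uses spaces as the separator.
SAMPLE=$(mktemp)
printf '*.err;kern.notice;auth.notice\t/dev/sysmsg\nmail.debug /var/adm/maillog\n' > "$SAMPLE"
syslog_conf_lint "$SAMPLE"            # flags line 2 and returns 1
syslog_conf_split_auth "$SAMPLE"      # prints the rewritten rules to stdout
rm -f "$SAMPLE"
```

Redirect the output of syslog_conf_split_auth to a new file, lint that file, and only then copy it over /etc/syslog.conf and restart syslogd.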
Configuring SELinux
Be sure to review the latest SELinux documentation. You can start with the SELinux wiki,
http://www.selinuxproject.org/page/Main_Page
The file pbislocal.pp will be a compiled policy module and can be loaded with semodule -i pbislocal.pp.
To build a compiled policy, execute the following command in the directory where pbislocal.te is located:
make -f /usr/share/selinux/devel/Makefile
Leave a Domain
When a computer is removed from a domain, PBIS retains the settings that were made to the computer's
configuration when it was joined to the domain. Changes to the nsswitch module are also preserved until you
uninstall PBIS, at which time they are reverted.
Before leaving a domain, run the following command to view the changes that will take place:
domainjoin-cli leave --advanced --preview domainName
Example:
[root@rhel4d example]# domainjoin-cli leave --advanced --preview example.com
Leaving AD Domain:
EXAMPLE.COM
[X] [S] ssh - configure ssh and sshd
[X] [N] pam - configure pam.d/pam.conf
[X] [N] nsswitch - enable/disable PowerBroker Identity Services nsswitch module
[X] [N] stop - stop daemons
[X] [N] leave - disable machine account
[X] [N] krb5 - configure krb5.conf
[F] keytab - initialize kerberos keytab
Key to flags
[F]ully configured - the system is already configured for this step
[S]ufficiently configured - the system meets the minimum configuration requirements for this step
[N]ecessary - this step must be run or manually performed
[X] - this step is enabled and will make changes
[ ] - this step is disabled and will not make changes
For information on advanced commands for leaving a domain, see Join Active Directory from the Command Line.
3. On the Services tab, click the lock and enter an administrator name and password to unlock it.
4. In the list, click Likewise, and then click Configure.
5. Enter a name and password of a local machine account with administrative privileges.
6. On the menu bar at the top of the screen, click the Domain Join Tool menu, and then click Join or Leave
Domain.
7. Click Leave.
To completely remove all files related to PBIS from your computer, run the command as follows instead. If using
this command and option, you do not need to leave the domain before uninstalling.
/opt/pbis/bin/uninstall.sh purge